fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Escrow Activation Lock Bypass Codes in Fleet #17164

Closed nonpunctual closed 2 days ago

nonpunctual commented 6 months ago

UPDATE: Closed this issue because it's a duplicate of the following issue:

(noahtalerman)
Customer is requesting information about activation lock bypass code features in Fleet.

Activation Lock Bypass Code is a string that can be collected from an Apple supervised / managed device & escrowed to PREVENT iCloud Activation Lock if an end user logs into an iCloud account & leaves the account logged in when their device is returned to an organization's IT team.

The Bypass Code disassociates the device from the iCloud account so the org that owns it can erase it for repurposing. Without disassociating the logged-in iCloud account, a managed device can't be erased by the organization that owns it.

Activation Lock can be extremely difficult for IT departments to manage because of the logistics & sometimes legality of contacting former employees that have left an organization. Apple's process for unlocking devices is time-consuming & only allows a temporary window of resolution. Collecting & escrowing an Activation Lock Bypass Code DURING ENROLLMENT prevents Activation Lock from being an issue for organizations.

The only reference to Activation Lock Bypass Code I have found in Fleet docs is here:

https://fleetdm.com/docs/using-fleet/mdm-migration-guide#activation-lock-bypass-codes

In that article there is a reference to this Apple support article:

https://support.apple.com/en-us/102541

I am not sure that the current Fleet article represents the fullest understanding of what an MDM solution CAN do in terms of preventing Activation Lock on managed devices. Typically, the code is not manually entered. It can be, but the most common workflow is just for an org to ensure users log out of iCloud. If there is no provision for this, iCloud becomes a major logistical problem for IT admins.

noahtalerman commented 6 months ago

I am not sure that the current Fleet article represents the fullest understanding of what an MDM solution CAN do in terms of preventing Activation Lock on managed devices.

@nonpunctual how do you think these docs can be improved?

the most common workflow is just for an org to ensure user's log out of iCloud

I think this is what we suggest in the docs? How could we make this clearer?

Also, is there a way to prevent an end user from logging into iCloud if their Mac isn't in ABM? Maybe via a profile?

nonpunctual commented 6 months ago

We can improve the docs I suppose but that is never going to prevent organizations that allow personal iCloud login from bumping into this problem. By blocking iCloud, users miss out on features of Apple devices they want to use. Orgs are not getting the full value of the devices. Many orgs make the choice to allow iCloud login because of this.

Apple has added iCloud continuity for managed Apple ID in Sonoma. https://support.apple.com/en-us/109030

The ultimate fix for this problem is managed Apple IDs for institutionally-owned, managed, supervised devices. This means that the org controls the Apple ID; therefore, not knowing Apple ID credentials would never cause a locked device (i.e., the org could always change the credentials to log in).

@noahtalerman Actually I found a really good recent article on what can & can't be done in terms of managing iCloud. Better than my explanation of it. :) Please check this out:

https://blog.kandji.io/managing-icloud-access

Until there is widespread adoption of MAID, implementing Activation Lock Bypass Code in Fleet is the best thing we can do to help customers maintain control of their devices. In the case of customer-Preston this is even more important as an MSP.

nonpunctual commented 6 months ago

I hesitate to ever say this but this seems to be a very straightforward, easy implementation with sample code & a simple API request / response. Customer on most recent call said this is a top priority for them. I also feel it's a table stakes feature. All major competitors seem to have it.

https://developer.apple.com/documentation/devicemanagement/device_assignment/activation_lock_a_device/creating_and_using_bypass_codes

https://developer.apple.com/documentation/devicemanagement/get_the_bypass_code_for_activation_lock
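As an added illustration of the "collect during enrollment, escrow, retrieve when the device comes back" workflow described at the top of this thread and of the MDM command linked just above, the following Python sketch is not Fleet code and not from Apple's sample code. The only protocol facts it relies on are the `ActivationLockBypassCode` request type and the `CommandUUID`, `Status`, `ErrorChain` and `ActivationLockBypassCode` keys of the MDM command/response plists; the escrow store, its audit log, the serial number, UDID and the bypass code value in the sample response are constructed placeholders.

```python
"""Collect an Activation Lock bypass code via MDM and escrow it server-side.

Example code, not Fleet's implementation. The command/response keys follow
Apple's MDM protocol; BypassCodeEscrow and all sample values are hypothetical.
"""
import datetime
import hashlib
import plistlib

# Constructed sample data (placeholders, not real identifiers or codes).
SAMPLE_SERIAL = "C02EXAMPLE01"
SAMPLE_UUID = "0d3f6c2a-7b1e-4e9a-9c44-EXAMPLE00001"
SAMPLE_RESPONSE = plistlib.dumps({
    "CommandUUID": SAMPLE_UUID,
    "Status": "Acknowledged",
    "UDID": "00008030-EXAMPLEUDID",
    "ActivationLockBypassCode": "AAAAA-BBBB-CCCC-DDDD-EEEE",  # placeholder
})


def build_bypass_code_command(command_uuid: str) -> bytes:
    """XML plist the MDM server sends to a supervised device."""
    return plistlib.dumps({
        "CommandUUID": command_uuid,
        "Command": {"RequestType": "ActivationLockBypassCode"},
    })


def parse_bypass_code_response(raw: bytes, expected_uuid: str) -> str:
    """Return the bypass code from the device's acknowledgement.

    Rejects a response for a different command, an Error status, or an
    acknowledgement without a code, so nothing bogus is ever escrowed.
    """
    resp = plistlib.loads(raw)
    if resp.get("CommandUUID") != expected_uuid:
        raise ValueError("response does not match the pending command")
    if resp.get("Status") != "Acknowledged":
        raise ValueError(f"device returned {resp.get('Status')}: "
                         f"{resp.get('ErrorChain', [])}")
    code = resp.get("ActivationLockBypassCode", "")
    if not isinstance(code, str) or not code.strip():
        raise ValueError("acknowledged response carries no bypass code")
    return code.strip()


def fingerprint(code: str) -> str:
    """Short SHA-256 prefix for logs, so the code itself never appears there."""
    return hashlib.sha256(code.encode()).hexdigest()[:12]


class BypassCodeEscrow:
    """In-memory escrow keyed by serial number (hypothetical design).

    A real store would encrypt records at rest and persist the audit trail;
    the access pattern (append on collection, every read attributed to an
    actor with a reason) is the accountability piece shown here.
    """

    def __init__(self):
        self._records = {}  # serial -> list of records, newest last
        self.audit = []     # one entry per retrieval

    def escrow(self, serial: str, code: str, now=None) -> None:
        now = now or datetime.datetime.now(datetime.timezone.utc)
        history = self._records.setdefault(serial, [])
        if history and history[-1]["code"] == code:
            return  # same code collected again; nothing new to store
        history.append({"code": code, "collected_at": now})

    def retrieve(self, serial: str, actor: str, reason: str, now=None) -> str:
        history = self._records.get(serial)
        if not history:
            raise KeyError(f"no bypass code escrowed for {serial}")
        code = history[-1]["code"]
        self.audit.append({
            "serial": serial, "actor": actor, "reason": reason,
            "code_fingerprint": fingerprint(code),
            "at": now or datetime.datetime.now(datetime.timezone.utc),
        })
        return code


def collect_and_escrow(store, serial, raw_response, expected_uuid) -> str:
    """Parse the device response and escrow the code under its serial."""
    code = parse_bypass_code_response(raw_response, expected_uuid)
    store.escrow(serial, code)
    return code


if __name__ == "__main__":
    store = BypassCodeEscrow()
    print(build_bypass_code_command(SAMPLE_UUID).decode())
    collect_and_escrow(store, SAMPLE_SERIAL, SAMPLE_RESPONSE, SAMPLE_UUID)
    store.retrieve(SAMPLE_SERIAL, "admin@example.com", "device returned by leaver")
    print(store.audit[-1])
```

The retrieval path is deliberately the only way to read a code, and it refuses to run without an actor and a reason; that is what makes an escrow auditable when the code is later handed to a technician erasing a returned Mac.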

noahtalerman commented 6 months ago

Thanks for sharing those docs @nonpunctual!

Heads up, we didn't have the space to take this on in the current design sprint (4.48)

Please feel free to bring this one back to feature fest.

nonpunctual commented 5 months ago

customer-reedtimmer on 20240409 said that this feature is extremely important & expected for their iOS deployment.

nonpunctual commented 4 weeks ago

duplicate: https://github.com/fleetdm/fleet/issues/21231

noahtalerman commented 2 days ago

Closed this issue because it's a duplicate of the following issue:

I moved the customer/prospect labels from this issue to #21231

cc @nonpunctual @zayhanlon @pintomi1989 @dherder

fleet-release commented 2 days ago

Bypass codes in Fleet, Ease for IT, no locked seat, iCloud defeat, sweet.